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As NASA continues to develop various advanced propulsion technologies for space exploration two factors 
are becoming increasingly dominant in design specifications: increase operational reliability and decrease 
operational cost. One approach that has been proposed to meet these challenges is to incorporate into 
current and future rocket propulsion systems some sort of diagnostic/monitoring capability in the form of 
a Health Monitoring System (HMS). HMS technology offers the promise of increased operational reliability 
through its ability to assess system performance, detect and isolate degradations and/or failures, and modify 
system operation so as to minimize effects on performance. Decreased operational costs are accrued by 
the use of the HMS technology to help automate inspection and checkout procedures and to help minimize 
maintenance activities by transitioning from a maintenance-on-routine basis to a maintenance-on-condition 
basis. 

The block diagram shown in Figure 1(a) illustrates a generic interconnection of a rocket engine (E), 
together with its sensors (S), actuators (A), and controller (C), and a generic HMS. The main functional 
components of the HMS can be classified according to their level of sophistication as follows [6]: 

Safety Monitoring: Assure completion of mission. Simplest level of HMS function. Typi- 
cally takes the form of a red-line checking algorithm which can initiate engine shutdown. 
Currently in use on SSME in the form of FASCOS system. 

Health. Monitoring: Determine condition of engine components during operation and identify 
any anomalous behaviors. Next higher level of HMS function. Possessing some form of 
failure/degradation isolation and accomodation capabilities. Currently under development 
for use on SSME in the form of SAFD [2] and on STME in the form of RECOMS [1]. 

Condition Monitoring: Determine readiness of engine to perform required mission. Most 
sophiticated level of HMS Function. May involve use of trending analysis, artificial intelli- 
gence, etc. Currently an open research area. 


As the descriptions above indicate, the sate-of-the-art in HMS technology is still relatively unsophisti- 
cated. Several interesting issues remain as yet unresolved. The purpose of the research reported here is 
to study, from a systems engineering perspective, the particular issues of analysis and synthesis for generic 
HMS’s such as the one depicted in Figure 1(a). Specific system-theoretic questions of interest include: Can 
one develop analytical methods for the analysis and synthesis of HMS specifications? Given a set of HMS 
specifications, can one develop analytical methods for deciding on the selection and placement of sensors 
to achieve the given specifications? Given a set of HMS specifications and an HMS sensor suite, can one 
develop analytical methods for characterizing the algorithms needed to process the sensor data in order to 
achieve the given specifications? To what extent do the design objectives of a HMS conflict/interact with 
design objectives of a control system? 

The research presented here proposes a system-theoretic framework within which questions like those 
posed above can be studied in a unified manner. In addition, partial answers to the last question posed, i.e., 
the question of control/HMS conflict/interaction, are given as an indication of the potential utility of the 
proposed framework. Finally, it is indicated how the proposed framework can be extended to handle some 
of the other questions raised above. 

The specific issue of the impact of control system design objectives on HMS design objectives and vice 
versa is particularly interesting in that a fundamental objective of control systems is that they be relatively 
insensitive to small changes in the system being controlled (i.e., the so-called robustness issue) whereas it is 
precisely the objective of HMS’s that they be able to sense changes in system behavior. This conflict can be 
more concretely illustrated by considering the block diagram given in Figure 2. It shows a plant 
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together with a compensator K and diagnostic module D. Subsystem Pi defines those plant sensors selected 
for diagnostic purposes, and subsystem Pi defines those plant sensors selected for control purposes. The 
exogenous signal / is representative of a sensor failure, i.e., / = 0 corresponds to nominal sensor behavior 
and / corresponds to an off-nominal condition in one or more of the sensors defined by Po. The goal here 
is to design K to achieve good control performance and to design D so that failures at / can be monitored at 
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d ' the diagnostic module output. Straightforward manipulations yield that the transfer function Mfd from 
/ to d is given by: 

M fd = DP X K{I - P 2 K)~ l . 

This expression clearly indicates that the extent to which the loop gain P 2 K is shaped to achieve control 
objectives has an impact on our ability to monitor failures / at d. Moreover it is clear that K and D 
cannot be designed independently without possible adverse effects to either control performance or diagnostic 
performance* 

The discussion above indicates that an integrated analysis of HMS and control system design is necessary. 
For this purpose the configuration shown in Figure 1 (b), discussed in [4], will be considered. Here T and 
T represent, respectively, the engine system together with its sensors and actuators, and an integrated 
health monitoring and control system (IHMC). They are partitioned conformably with respect to their 
inputs/outputs as follows: 
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Definitions and interpretations of the various signals shown in Figure 1 (b) are listed in Table 1. Off-nominal 
conditions are handled in a manner similar to that shown in Figure 2. Specifically, off-nominal conditions 
are represented by injecting fictitious input signals at 

n = i? + / , n' = i 4* f , w . 

Here /, /' denote, respectively, sensor and actuator failures/degradations, tj, 77 ' denote, respectively, sensor 
and actuator noise, and w denotes internal failures/degradations. Both control and HMS design objectives 
can be stated in terms of these interpretations as indicated in Table 2. 

The motivation for this choice of framework stems from the direct similarity between the generic archi- 
tecture depicted in Figure 1(a) and the structure of the interconnection shown in Figure 1(b). We note 
that this similarity has already been suggested in the literature [5] for the case where the block T has the 
restricted form shown in Figure 1(c). However, this restriction has two severe limitations which make it 
inadequate for use in the present context: First, the fact that y is directly tied to the plant P output implies 
that no distinction is made between those sensors used for control and those used for diagnostics. In actual 
propulsion systems such as the SSME there are always many more sensors available for health monitoring 
than are used for control. Second, the fact that the exogenous plant input tv is restricted to enter at the plant 
output corresponds reflecting respresentative failure inputs to the plant output, thus adding some degree of 
conservatism to this configuration. The results given below are extended to encompass the general T block. 

Using straightforward transfer function analysis methods the interaction effects between the health mon- 
itoring module and the control module can be characterized and quantified. Table 3 summarizes some of the 
key tradeoffs uncovered using this analysis. For example, the first entry illustrates that sensor noise cannot 
be simultaneously rejected at the diagnostic output over the same frequency range that sensor faults are to 
be detected. This, in turn, means that there is a direct tradeoff to be made between sensor noise rejection 
and achievable diagnostic specifications. Similar arguments can be given for the other entries of Table 3, 
and although space constraints do not permit their inclusion here they are fully documented in [3] together 
with a more detailed analysis of the IHMC structure of Figure 1 (b). 

In addition to directly addressing issues related to interaction of health monitoring and controls modules 
the framework associated with Figure 1(b) can be used indirectly to obtain information on the problems 
pertinent to the design of IHMC. As one example, consider the problem of sensor suite selection, i.e., 
the problem of how to select a group of sensors to achieve a given level of health monitoring and control 
performance. Based on physical reasoning a candidate set of sensors can be selected thereby defining the 
entires of T. Once this is accomplished, analysis similar to that above can be used to see how eliminating 
certain sensors effects the overall IHMC performance. In this way trade studies can be formulated to analyze 
optimal sensor suite selection. 
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Figure 1: Generic Architecture, 



Figure 2: “Unintegrated” Health Monitoring and Control? 


Signal 

Interpretation 

Examples 

z 

Engine output variables not sensed for 
IHMC 

Thrust, etc. 

y 

Engine output variables sensed for IHMC 

Pressures, Temperatures, etc. 

w 

Exogenous engine input variables 

Disturbances, internal component fail- 
ures, etc. 

u 

Engine input variables actuated by IHMC 

Actual valve settings, etc. 

z' 

IHMC diagnostic output variables 

Pressures, Temperatures, etc. 

1/ 

IHMC output variables fed to Engine 

Ideal valve settings, etc. 

w' 

Exogenous IHMC input variables 

Controller commands, etc. 

u' 

IHMC input variables from Engine sen- 
sors 

Actual sensor values, etc. 

n, n' 

Exogenous interconnection inputs 

Noise, sensor failures, actuator failures, 
etc. 


Table 1: Signal Interpretations for Figure 1(b). 
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Control Objectives: 

Interconnection should be stable. - 

Noise/Disturbance Rejection => Af w , M wy « 0. 
Command Tracking => M w » y I. 

Control Effort => sized reasonably. 

Satisfy above robustly in the face of modeling errors. 
Health Monitoring Objectives: 

Noise Rejection => A/^/, S 0. 

Command Rejection => M w < z < & 0. 
Failure/Degradation Tracking => « I. 

Satisfy above robustly in the face of modeling errors. 

Table 2: Control and Health Monitoring Objectives. 


Sensor Noise Rejection vs. Sensor Fault Detection: 

Mqz' = Mf z * 

Actuator Noise Rejection vs. Actuator Fault Detection: 

= Mftgi 

Sensor Fault Detection vs. Actuator Fault Detection vs. Internal 
Fault Detection: 

= Mf Z *T22 1 M wz i = 

Table 3: Control/Health Monitoring Objective Conflicts/Interactions. 
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